A simple technology invented by Bell Labs over 20
years ago (and widely used today) could have prevented the Colonial Pipeline attack.
In 1880, the French government awarded Alexander Graham Bell
roughly the equivalent of $300K as a prize for inventing the telephone. He used
the award to fund the research laboratory that became colloquially known as
Bell Labs. If you’re not familiar with Bell Labs, you should be. In the 140+ years
that followed, researchers at Bell Labs
invented radio astronomy, transistors, lasers, solar cells, information theory,
and UNIX, just to name a few of the many accomplishments. Among the many
prestigious awards
granted to Bell Labs researchers are nine Nobel prizes and twenty-two IEEE
Medals of Honor.
In 1998, I joined AT&T Labs, which was a
research group that the company retained when they spun out most of Bell Labs
to Lucent Technologies in 1996. I was a Web Application developer, one of the
least technical roles in the Labs. If I ever thought for a moment that I knew technology,
I was quickly humbled when I built an app that tracked the Labs' actually important
projects. The experience of working in the Labs stuck with me in the form of humility
and curiosity. I accepted that I may never be the foremost expert in any given technology
and I assumed the mindset of a forever student. Even today, I constantly question
what I think I know because there are always holes in my knowledge or perspectives
that I haven’t seen.
1998 was the same year that researchers at AT&T Labs were issued a patent (filed in 1995) for
what became known in our industry as Multi-Factor Authentication (MFA). As a Product
Manager at a tech firm, I don’t review patents for legal reasons. But I recently saw an excerpt
of the abstract for the AT&T patent and there was one line that I found entertaining:
“A preferred method of alerting the customer and receiving a confirmation to
authorize the transaction back from the customer is illustratively afforded by
conventional two-way pagers.” Not much has changed in 23 years. Pagers have
been largely replaced by SMS but text messaging through the telecom provider’s
network remains one of the most popular delivery mechanisms for MFA (despite some
potential
security flaws).
I have no personal insight into AT&T’s
motivations at the time, but I read Kevin Mitnick’s book a few years ago (Ghost in the Wires)
and can’t help but wonder if AT&T was at the forefront of developing
security technologies because they were such a target of hackers for so many years. I also reached out to Steve Greenspan, one of the inventors named in the patent to get his thoughts on the project. He noted:
"Two-way pagers had just come out (1994-1995), and our cybersecurity
friends were debating whether quantum computing would undermine
password-based security. The goal was to explore business applications for
two-way pagers and to put humans in-the-loop for secure access."
Quantum computing is a pretty interesting business driver for MFA, especially in the mid-1990s. The concern is even more relevant today as we inch closer to quantum compute becoming a practical reality. Today's authentication systems should store password data in non-reversible hashes (theoretically preventing the quantum threat), but it's clear that credentials are being stolen all the time (often via large databases that are just left unprotected) and MFA remains a top solution to mitigate the damage. Steve and team were clearly on the right track when they dreamed up out-of-band authentication and deserve some credit and recognition for the foresight.
You may be wondering how this relates to the pipeline attack
that led to fuel shortages across the U.S. East Coast. Bloomberg
reported
that the Colonial Pipeline, which is the largest fuel pipeline in the country,
was taken down by a single compromised password. That should never happen given the variety of tools available to limit and control access, starting with MFA – a
relatively simple solution that would likely have prevented the attack. The
entry point to the system was a Virtual Private Network (VPN) account. If you’re using a VPN and expose anything
sensitive inside the VPN, you should implement strong authentication that includes
at least two authentication factors (something you know, something you have, something you are). These are widely available technologies
that are very effective against lost or stolen credentials.
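To make the point concrete, here is an added example (not code from the post or from the AT&T patent) of the out-of-band confirmation flow the patent abstract describes, applied to the VPN login above: the password is checked against a salted, non-reversible hash, then the gateway alerts the account owner's device and opens a session only when that device echoes an unexpired, single-use code. The user name, password, device address and the simulated pager channel are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

def hash_password(password: str, salt: bytes) -> bytes:
    """Non-reversible, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed user store: one VPN account with a sample password and the
# address of its out-of-band device (a stand-in for the patent's pager).
_SALT = secrets.token_bytes(16)
USERS = {"vpn-user": {"salt": _SALT, "hash": hash_password("correct horse", _SALT),
                      "device": "pager:vpn-user"}}

class OutOfBandChannel:
    """Simulated two-way pager network: alerts reach only the owner's device."""
    def __init__(self):
        self.alerts = {}    # device -> code waiting to be confirmed
        self.replies = {}   # device -> code the owner sent back
    def alert(self, device, code):
        self.alerts[device] = code
    def owner_confirms(self, device):
        # The legitimate owner reads the alert and sends the code back.
        self.replies[device] = self.alerts.pop(device, None)

class VpnGateway:
    TTL = 60  # seconds an unanswered alert stays valid
    def __init__(self, channel):
        self.channel = channel
        self.pending = {}   # username -> (code, expiry)
    def start_login(self, user, password):
        """Factor 1: something you know. A wrong password stops here."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(
                hash_password(password, rec["salt"]), rec["hash"]):
            return False
        code = secrets.token_hex(4)
        self.pending[user] = (code, time.time() + self.TTL)
        self.channel.alert(rec["device"], code)   # out-of-band alert
        return True
    def finish_login(self, user, now=None):
        """Factor 2: something you have. Session opens only if the owner's
        device echoed the unexpired code; each code is single-use."""
        now = time.time() if now is None else now
        code, expiry = self.pending.pop(user, (None, 0.0))
        reply = self.channel.replies.pop(USERS.get(user, {}).get("device"), None)
        return (code is not None and now < expiry and reply is not None
                and hmac.compare_digest(code, reply))
```

With only a stolen password, `start_login` succeeds but `finish_login` fails because the confirmation never arrives from the owner's device; a replayed or expired code is refused the same way.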
Of course, authentication isn’t the end of the story. Today’s
widely distributed and highly dynamic environments require multiple layers of
security. We all know how popular email and phishing attacks have become. It only
takes one person inside a network to open an email, click a link, or log on to a
phishing site to give an adversary a foothold in the network. We have to assume
that will happen and build layers of strong security between any one user and
the potential targets.
To illustrate the point, here’s a quick example:
Grocery stores that sell small, high-value
items have traditionally struggled with theft. (Ask me over a beer sometime about how I helped take down a recurring thief when I worked at a grocery store.) If the only answer were to authenticate
users (check ID) on the way into the store, it wouldn't be enough. Once inside, someone
can still pocket items and walk out without paying. If you walk into a
grocery store today, you’ll see cameras in the healthcare aisle where small, expensive
medications line the shelves. But that’s not enough either. Each item is also
locked in an anti-theft device that’s removed at the register. And some items
are found in a locked cabinet that requires employee assistance. Theft still
happens, but each layer reduces the risk. Our IT environments are much more
complicated in terms of the various pathways to theft and our responses to
reduce risk typically require more than a few layers of security.
Sensitive data should only be stored in a secure area of the
network with access controls and Least Privilege enforcement. Access
should be limited to specific hosts or networks. Data should be encrypted (inside
the file when possible - so if the file is stolen, the data is still unusable). There
should be strong authentication to get into the network and monitoring of all
activity. There should be alerts on unusual behavior and Data Loss Prevention
(DLP) to evaluate the sensitivity of data moving across the network. The environment
should be scanned regularly for vulnerabilities and misconfigurations. And on
and on. Any one of these security mechanisms alone is not enough. This multi-layered
approach to security is critical in developing a strong security posture that minimizes
risk.
We could argue about where to start or which security
controls are most important. But, it seems like a no-brainer to implement MFA
for employees accessing corporate data and applications. Microsoft, which deals
with 300 million fraudulent sign-in attempts daily, concluded
that “MFA can block over 99.9 percent of account compromise attacks.”
That sounds about right. While targeted attacks have increased in prevalence, most
attacks are not targeted at specific companies or individuals. Most start with automated
scripting or broad-scale phishing attacks that span across potentially thousands
of companies and/or millions of people at the same time. When a foothold is found
(a script finds a vulnerability or an open port, a user enters credentials into
the phishing site, etc.), the attack begins. Implementing a few simple security technologies
like automated vulnerability scanning and MFA can prevent most attacks before
they begin. Even if a sophisticated phishing attack succeeds despite MFA, the
credentials will not be very useful beyond the initial session (which should be
limited in scope by other controls).
No single technology will solve all cybersecurity problems.
But, implementing MFA is low-cost, easy to implement, and highly effective. It
may even make life easier for end-users. Password requirements can be loosened because
there’s less risk associated with cracked passwords. And there are numerous implementations
of passwordless authentication that, while they may not always meet the strict
definition of MFA, provide similar (sometimes higher) levels of security as MFA
without requiring a password. Combined with context-aware adaptive security (that
verifies device, network, location, time-of-day, etc.), these passwordless
authentication options may provide the right level of balance between security
and user experience. At this point, none of this is scare tactics or FUD. Attacks on national infrastructure or other high-profile targets can impact the lives of millions with a single execute
command. MFA is an easy layer to add to improve security and it’s
commonly included with authentication solutions, so there’s really no excuse.
It’s time to get it done.